公开(公告)号：US08387111B2

公开(公告)日：2013-02-26

申请号：US10002439

申请日：2001-11-01

申请人： Lawrence Koved ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam ,  Marco Pistoia ,  Bruce Arland Rich

发明人： Lawrence Koved ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam ,  Marco Pistoia ,  Bruce Arland Rich

IPC分类号： G06F12/14

CPC分类号： G06F21/53 ,  G06F2221/2145

摘要： A method and apparatus for type independent permission based access control are provided. The method and apparatus utilize object inheritance to provide a mechanism by which a large group of permissions may be assigned to a codesource without having to explicitly assign each individual permission to the codesource. A base permission, or superclass permission, is defined along with inherited, or subclass, permissions that fall below the base permission in a hierarchy of permissions. Having defined the permissions in such a hierarchy, a developer may assign a base permission to an installed class and thereby assign all of the inherited permissions of the base permission to the installed class. In this way, security providers need not know all the permission types defined in an application. In addition, security providers can seamlessly integrate with many applications without changing their access control and policy store semantics. Moreover, application providers' security enforcement is no dependent on the security provider defined permissions. The method and apparatus do not require any changes to the Java security manager and do not require changes to application code.

摘要翻译： 提供了一种用于基于类型独立许可的访问控制的方法和装置。 该方法和装置利用对象继承来提供一种机制，通过该机制，可以将大量的权限组分配给代码源，而不必对代码源明确地分配每个单独的权限。 基本权限或超类权限与继承层级或权限级别中的基本权限之下的继承或子类权限一起定义。 在这样的层次结构中定义了权限之后，开发人员可以为已安装的类分配一个基本权限，从而将基本权限的所有继承的权限分配给已安装的类。 以这种方式，安全提供程序不需要知道应用程序中定义的所有权限类型。 此外，安全提供商可以无缝地集成许多应用程序，而无需更改其访问控制和策略存储语义。 此外，应用程序提供商的安全执行不依赖于安全提供程序定义的权限。 该方法和设备不需要对Java安全管理器进行任何更改，也不需要更改应用程序代码。

公开(公告)号：US08112370B2

公开(公告)日：2012-02-07

申请号：US12235900

申请日：2008-09-23

申请人： Sridhar R Muppidi ,  Nataraj Nagaratnam ,  Anthony Joseph Nadalin

发明人： Sridhar R Muppidi ,  Nataraj Nagaratnam ,  Anthony Joseph Nadalin

IPC分类号： G06N5/00

CPC分类号： G06F21/604

摘要： A method, system, and computer usable program product for classification and policy management for software components are provided in the illustrative embodiments. A metadata associated with an application or component is identified. A mapping determination is made whether the metadata maps to a classification in a set of classifications. A policy that is applicable to the classification is identified and associated with the classification. If the mapping determination is deterministic, the component is assigned to the classification and the policy associated with the classification is associated with the component. If the mapping determination is not deterministic, a user intervention may be necessary, the component may be classified in a default classification, or both. Because of the policy being associated with the classification, associating the policy with the component may occur based on the metadata of the application or component and its resultant classification.

摘要翻译： 在说明性实施例中提供了用于软件组件的分类和策略管理的方法，系统和计算机可用程序产品。 识别与应用或组件相关联的元数据。 做出映射确定是否元数据映射到一组分类中的分类。 识别适用于分类的策略并与分类相关联。 如果映射确定是确定性的，则将组件分配给分类，并且与分类相关联的策略与组件相关联。 如果映射确定不是确定性的，则可能需要用户干预，该组件可以被分类为默认分类，或者两者。 由于与分类相关联的策略，将策略与组件相关联可以基于应用或组件的元数据及其合成分类而发生。

公开(公告)号：US07475239B2

公开(公告)日：2009-01-06

申请号：US10251502

申请日：2002-09-20

申请人： Carroll Eugene Fulkerson, Jr. ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam

发明人： Carroll Eugene Fulkerson, Jr. ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam

IPC分类号： H04L9/00 ,  H04L9/32 ,  G06F7/04 ,  G06F11/00

CPC分类号： H04L63/168

摘要： A pluggable trust adapter architecture that accommodates a plurality of interceptors is provided. Each interceptor is adapted to perform security processing of communications having a specific protocol. Specifically, when a communication is received, it will be routed from a channel router to a specific interceptor based on the protocol of the communication. The interceptor will then “security” process the communication (e.g., extract data, perform verification, etc.). Once the interceptor has processed the communication, the extracted data and the communication itself will be passed to an authorization system for authorization.

摘要翻译： 提供了容纳多个拦截器的可插拔信任适配器架构。 每个拦截器适于执行具有特定协议的通信的安全处理。 具体来说，当接收到通信时，将根据通信的协议从通道路由器路由到特定的拦截器。 拦截器然后“安全”处理通信（例如，提取数据，执行验证等）。 一旦拦截器处理了通信，提取的数据和通信本身将被传递给授权系统进行授权。

公开(公告)号：US20080168528A1

公开(公告)日：2008-07-10

申请号：US11619672

申请日：2007-01-04

申请人： Dah-Haur Lin ,  Satoshi Hada ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam

发明人： Dah-Haur Lin ,  Satoshi Hada ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam

IPC分类号： G06F21/00

CPC分类号： H04L63/102 ,  G06F21/53 ,  G06F21/6218 ,  G06F2221/2105 ,  G06F2221/2141 ,  H04L63/105 ,  H04L63/168

摘要： The present invention implements a set of interfaces for a standard Java execution environment to provide authorization with conditional permissions. In particular, a framework enables a provider to provide a condition-based runtime authorization decision when a caller entity requests a Java resource. To this end, during a policy configuration certain “Conditions” may be associated with a standard Java Permission object using a ConditionalPermission class. Each “Condition” may be represented in one of a set of different conditions (e.g., containment, logical, comparison, owner and regular expression conditions) using various name-value pairs of “AttributeName” objects. During runtime, an “implies” method in the ConditionalPermission class returns true if the argument permission is implied by the wrapped permission and the additional “Conditions” are evaluated to be true. The ConditionalPermission class allows the caller to seamlessly instrument an instance evaluation “Condition” into a regular permission evaluation and to hand off this evaluation to a provider to facilitate an instance-based runtime authorization decision. The framework is highly flexible and provides for a wide-range of possible fine-grained policy and instance-based “Conditions” for authorization evaluation.

摘要翻译： 本发明实现了用于标准Java执行环境的一组接口，以提供具有条件许可的授权。 特别地，当呼叫者实体请求Java资源时，框架使得供应商能够提供基于条件的运行时授权决定。 为此，在策略配置期间，某些“条件”可能与使用ConditionalPermission类的标准Java Permission对象相关联。 可以使用“AttributeName”对象的各种名称 - 值对，以一组不同条件（例如，包含，逻辑，比较，所有者和正则表达条件）中的一个来表示每个“条件”。 在运行时，ConditionalPermission类中的“暗示”方法如果被包装的权限隐含参数许可，并且额外的“条件”被评估为true，则返回true。 ConditionalPermission类允许调用者将实例评估“条件”无缝地仪器仪器置于常规权限评估中，并将此评估移交给提供者以促进基于实例的运行时授权决策。 该框架是高度灵活的，并提供广泛的可能的细粒度政策和基于实例的“条件”进行授权评估。

公开(公告)号：US07124192B2

公开(公告)日：2006-10-17

申请号：US09943618

申请日：2001-08-30

申请人： Robert Howard High, Jr. ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam

发明人： Robert Howard High, Jr. ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam

IPC分类号： G06F15/16 ,  G06F7/00 ,  G06F17/30

CPC分类号： H04L63/20 ,  H04L63/102 ,  H04L63/105 ,  Y10S707/99939

摘要： Methods, systems, and computer program products are disclosed for protecting the security of resources in distributed computing environments. The disclosed techniques improve administration and enforcement of security policies. Allowed actions on resources, also called permissions, (such as invocations of particular methods, read or write access of a particular row or perhaps a particular column in a database table, and so forth) are grouped, and each group of permissions is associated with a role name. A particular action on a particular resource may be specified in more than one group, and therefore may be associated with more than one role. Each role is administered as a security object. Users and/or user groups may be associated with one or more roles. At run-time, access to a resource is protected by determining whether the invoking user has been associated with (granted) at least one of the roles required for this type of access on this resource.

公开(公告)号：US07051201B2

公开(公告)日：2006-05-23

申请号：US10099739

申请日：2002-03-15

申请人： Gennaro A. Cuomo ,  Brian Keith Martin ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam

发明人： Gennaro A. Cuomo ,  Brian Keith Martin ,  Anthony Joseph Nadalin ,  Nataraj Nagaratnam

IPC分类号： G06F1/26

CPC分类号： G06F21/6227 ,  H04L63/0209 ,  H04L63/0428

摘要： A method for securing cached data in an enterprise environment. The method can include processing a request to locate data in a query cache. If the data can be located in the query cache, the data can be retrieved from the query cache. Additionally, at least one encrypted portion of the retrieved data can be decrypted. Finally, the decrypted portion and any remaining unencrypted portion of the retrieved data can be forwarded to a requesting client. By comparison, if the data cannot be located in the query cache, the data can be retrieved from a back-end data source over a computer communications network, and forwarded to the requesting client. Additionally, at least a portion of the retrieved data can be encrypted and both the encrypted portion and any remaining unencrypted portion can be stored in the query cache.

公开(公告)号：US20100076914A1

公开(公告)日：2010-03-25

申请号：US12235900

申请日：2008-09-23

申请人： Sridhar R. Muppidi ,  Nataraj Nagaratnam ,  Anthony Joseph Nadalin

发明人： Sridhar R. Muppidi ,  Nataraj Nagaratnam ,  Anthony Joseph Nadalin

IPC分类号： G06F15/18 ,  G06N5/02

CPC分类号： G06F21/604

摘要： A method, system, and computer usable program product for classification and policy management for software components are provided in the illustrative embodiments. A metadata associated with an application or component is identified. A mapping determination is made whether the metadata maps to a classification in a set of classifications. A policy that is applicable to the classification is identified and associated with the classification. If the mapping determination is deterministic, the component is assigned to the classification and the policy associated with the classification is associated with the component. If the mapping determination is not deterministic, a user intervention may be necessary, the component may be classified in a default classification, or both. Because of the policy being associated with the classification, associating the policy with the component may occur based on the metadata of the application or component and its resultant classification.

摘要翻译： 在说明性实施例中提供了用于软件组件的分类和策略管理的方法，系统和计算机可用程序产品。 识别与应用或组件相关联的元数据。 做出映射确定是否元数据映射到一组分类中的分类。 识别适用于分类的策略并与分类相关联。 如果映射确定是确定性的，则将组件分配给分类，并且与分类相关联的策略与组件相关联。 如果映射确定不是确定性的，则可能需要用户干预，该组件可以被分类为默认分类，或者两者。 由于与分类相关联的策略，将策略与组件相关联可以基于应用或组件的元数据及其结果分类而发生。

公开(公告)号：US10984457B2

公开(公告)日：2021-04-20

申请号：US11849210

申请日：2007-08-31

申请人： Gregory T. Byrd ,  Michael G. McIntosh ,  Nataraj Nagaratnam ,  Anthony J. Nadalin

发明人： Gregory T. Byrd ,  Michael G. McIntosh ,  Nataraj Nagaratnam ,  Anthony J. Nadalin

IPC分类号： G06Q10/00 ,  G06Q30/06

摘要： Embodiments of the present invention address deficiencies of the art in respect to privacy data management and provide a novel and non-obvious method, system and computer program product for trusted statement verification for data privacy. In one embodiment of the invention, a method for trusted statement verification for data privacy can be provided. The method can include deducing a claim from an attribute for personal data for an end user, receiving a request from a personal data consumer to vouch for an assertion based upon the attribute, comparing the assertion to the claim, and providing a voucher for the assertion to the personal data consumer on behalf of the end user if the claim supports the assertion without revealing the attribute to the personal data consumer.

公开(公告)号：US09727899B2

公开(公告)日：2017-08-08

申请号：US12791938

申请日：2010-06-02

申请人： Sanjay Mecheri Kesavan ,  Nataraj Nagaratnam ,  Lohitashwa Thyagaraj

发明人： Sanjay Mecheri Kesavan ,  Nataraj Nagaratnam ,  Lohitashwa Thyagaraj

IPC分类号： G06Q10/10 ,  G06Q30/02 ,  G06Q30/06 ,  G06Q10/04 ,  G06Q10/06 ,  G06Q30/00

CPC分类号： G06Q30/06 ,  G06Q30/018 ,  G06Q30/0185

摘要： A method, system, and computer usable program product for improved manufacturing and distribution to avoid counterfeit products in a supply chain are provided in the illustrative embodiments. For manufacturing to avoid a counterfeit product, a product to be manufactured is selected. Production volume information is determined, the production volume information including a number of units of the product to be produced. An identifier of a manufacturer of the product, an identifier of the product, and the production volume information are sent and several sets of identifiers are received. Each set of identifiers include identifiers corresponding to a customer reference number (CRN), a customer acknowledgment number (CAN), and a merchant acknowledgment number (MAN). One set of identifiers is uniquely associated with one unit of the product being produced. A unit of the product is manufactured such that the unit includes a corresponding set of identifiers.

公开(公告)号：US09665577B2

公开(公告)日：2017-05-30

申请号：US13471541

申请日：2012-05-15

申请人： Shalini Kapoor ,  Palanivel A. Kodeswaran ,  Sridhar R. Muppidi ,  Nataraj Nagaratnam ,  Vikrant Nandakumar

发明人： Shalini Kapoor ,  Palanivel A. Kodeswaran ,  Sridhar R. Muppidi ,  Nataraj Nagaratnam ,  Vikrant Nandakumar

IPC分类号： G06F17/30 ,  H04W12/08

CPC分类号： G06F17/3007 ,  H04W12/08

摘要： A method, system and computer program product for controlling enterprise data on mobile devices. Data on a mobile device is tagged as being associated with either enterprise data or with personal data. Upon identifying the storage location of the tagged data and the identifier of the application that generated the tagged data, the tag, the storage location of the tagged data and the identifier of the application are stored in an index. A mobile agent residing on the mobile device may be directed by a mobile device management server of the enterprise to perform various actions (e.g., deleting, encrypting, backing-up) on the enterprise data using the index. In this manner, the enterprise has the ability to control their applications and data that resides on employees' mobile devices to ensure that such data is not lost or used in a manner that is contrary to the wishes of the employer.